
Inductive Proofs in XeriFun

procedure even(n:N):bool <=
  if ?0(n) then true
  else if ?0(-(n)) then false
       else even(-(-(n))) end end

Figure 5.1: Procedure even that decides if a natural number is even

Organization of this chapter. In Section 5.1 we describe the general architecture for inductive proofs in XeriFun. In Section 5.2 we show how well-founded relations can be obtained from data structure definitions and from procedures that have been proved terminating. In the example above, the well-founded relation used is the one obtained from the definition of data structure N. We consider the synthesis of induction formulas based on these well-founded relations in Section 5.3. The induction formulas are proved by so-called symbolic evaluation. Section 5.4 presents the extensions of XeriFun's calculus for symbolic evaluation that facilitate reasoning about λ-expressions and second-order procedures.

Sequent $\langle H, IH \vdash goal \rangle$ is true iff for all terminating programs $P' \supseteq P$, all grounding type substitutions $\theta \in GndSubst_{\Omega(P')}(\tau_1, \ldots, \tau_n)$, and all values $q_1, \ldots, q_n$ with $q_i \in V(P')_{\theta(\tau_i)}$ for all $i = 1, \ldots, n$, the conjunction of

• $eval_{P'}(h[\vec{q}]) = true$ for all $h \in H$ and

• $eval_{P'}(ih[\vec{q}, \vec{q}\,']) = true$ for all $ih \in IH$ and all values $q'_1, \ldots, q'_n$ with $q'_i \in V(P')_{\theta(\tau_i)}$ for all $i = 1, \ldots, n$

entails $eval_{P'}(goal[\vec{q}]) = true$.
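The truth definition above says nothing about proofs; it only fixes the meaning of a sequent. The following added example (not code from the XeriFun project) makes that meaning executable for a finite fragment of the values of N, using the procedure even of Figure 5.1. Values of N are modelled as non-negative Python ints, hypotheses and goals as Python predicates, and the base and step sequents shown are constructed for this illustration (the shape of the induction formulas is assumed here, not taken from the text).

```python
"""Bounded check of the truth definition for sequents <H, IH |- goal>.

Added example, not XeriFun's own code.  Assumptions of this example:
  - values of the data structure N are non-negative Python ints
  - a hypothesis h in H is a predicate over one value q
  - an induction hypothesis ih in IH is a predicate over a pair (q, q')
  - the sequents BASE/STEP below are constructed for illustration
"""
from itertools import product


# Data structure N with constructors 0 and +(-:N):
# ?0 tests for the constructor 0, - is the selector (predecessor).
def is_zero(n):
    return n == 0


def succ(n):
    return n + 1


def pred(n):
    # The selector is only defined for non-zero values (its context requirement).
    if n == 0:
        raise ValueError("-(0) is undefined")
    return n - 1


def even(n):
    """Procedure even of Figure 5.1, evaluated on the int model of N."""
    if is_zero(n):
        return True
    if is_zero(pred(n)):
        return False
    return even(pred(pred(n)))


def less_N(a, b):
    """Well-founded relation obtained from the definition of N, modelled as a < b."""
    return a < b


def sequent_holds(hyps, ind_hyps, goal, values):
    """Bounded version of the truth definition.

    For every value q in `values`: if all h in H hold at q and all ih in IH hold
    at (q, q') for every q' in `values`, then goal must hold at q.
    Returns the first value q violating this, or None if none is found.
    """
    for q in values:
        if not all(h(q) for h in hyps):
            continue
        if not all(ih(q, q2) for ih, q2 in product(ind_hyps, values)):
            continue
        if not goal(q):
            return q
    return None


# Constructed goal:  forall n:N. even(+(+(n))) = even(n)
GOAL = lambda n: even(succ(succ(n))) == even(n)

# Constructed base sequent  <{?0(n)}, {} |- goal>
BASE_H = [is_zero]

# Constructed step sequent  <{not ?0(n), not ?0(-(n))}, {n' <_N n -> goal[n']} |- goal>
STEP_H = [lambda n: not is_zero(n),
          lambda n: not is_zero(n) and not is_zero(pred(n))]
STEP_IH = [lambda q, q2: (not less_N(q2, q)) or GOAL(q2)]


def check_even_sequents(bound=32):
    """Check the constructed sequents on the values 0 .. bound-1.

    'wrong_base' uses a false goal (even(+(n)) = even(n)) to show a counterexample.
    """
    values = range(bound)
    return {
        "base": sequent_holds(BASE_H, [], GOAL, values),
        "step": sequent_holds(STEP_H, STEP_IH, GOAL, values),
        "wrong_base": sequent_holds(BASE_H, [], lambda n: even(succ(n)) == even(n), values),
    }


if __name__ == "__main__":
    print(check_even_sequents())
```

The check is only a finite sanity test of the semantics: it can refute a sequent (the false goal is caught at 0) but never replaces a closed proof tree, which is what the HPL-calculus below delivers.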

In XeriFun, formulas are proved by using a sequent calculus, called the HPL-calculus [73, 91, 95], where HPL abbreviates Hypotheses, Programs, and Lemmas. The set of sequents $\langle H, IH \vdash goal\rangle$ defines the language of the HPL-calculus. Each proof rule of the HPL-calculus transforms a sequent into a finite set of sequents. A proof is represented by a finite proof tree whose nodes are labeled with sequents. For a formula $\forall x_1{:}\tau_1, \ldots, x_n{:}\tau_n.\ b$, the root node is given by the initial sequent $\langle \emptyset, \emptyset \vdash b\rangle$. The labels of the child nodes are obtained by applying a proof rule to the label of the parent node.

Each proof rule is sound in the sense that the truth of all child sequents entails the truth of the parent sequent. If each leaf of the proof tree is of the form $\langle \ldots, \ldots \vdash true\rangle$, the proof tree is closed, and we thus have a proof of the formula.

In our context, the following proof rules of the HPL-calculus are of particular interest (for further proof rules see [73, 91, 95]):

Induction creates the base and step sequents for an initial sequent wrt. a well-founded relation $R$:

$$\frac{\langle \emptyset, \emptyset \vdash goal\rangle}{\langle H_1, IH_1 \vdash goal\rangle, \ \ldots, \ \langle H_n, IH_n \vdash goal\rangle}$$

In Section 5.3 we describe in detail how the base and step sequents $IndForm_R(goal) = \{\langle H_1, IH_1 \vdash goal\rangle, \ldots, \langle H_n, IH_n \vdash goal\rangle\}$ for an initial sequent $\langle \emptyset, \emptyset \vdash goal\rangle$ are computed.

Simplification applies an automated theorem prover, the so-called symbolic evaluator [73, 91, 95], to a sequent. Starting with the goal term $goal$ of a sequent, the symbolic evaluator iteratively applies inference rules of the evaluation calculus to this term until a term $goal'$ is obtained to which no further evaluation rule can be applied:

$$\frac{\langle H, IH \vdash goal\rangle}{\langle H, IH \vdash goal'\rangle}$$

We look at the aspects of symbolic evaluation concerning λ-expressions and second-order procedures in Section 5.4.

Use Lemma applies an instance of a lemma $lemmaname <= \forall x_1{:}\tau_1, \ldots, x_n{:}\tau_n.\ b$ to a goal term $goal$ at some term position $\pi \in Pos(goal)$. Term substitution $\sigma$ instantiates the universally quantified variables $x_1, \ldots, x_n$:

$$\frac{\langle H, IH \vdash goal\rangle}{\langle H, IH \vdash goal[\pi \leftarrow if\{\sigma(b),\ goal|_\pi,\ true\}]\rangle}$$

Induction hypotheses from $IH$ can be used in the same way by considering them as lemmas.

Apply Equation replaces a subterm of $goal$ with an equal term. All lemmas and induction hypotheses are represented by (disjunctive) clauses. Thus a conditional equation $c_1 \wedge \ldots \wedge c_n \rightarrow l = r$ is represented by a clause $C = \{\neg c_1, \ldots, \neg c_n, l = r\}$, for instance.

For a clause $C$ with $l = r \in C$, a term substitution $\sigma$ that instantiates the universally quantified variables of $C$, a term position $\pi \in Pos(goal)$ with $\sigma(l) = goal|_\pi$, and $C' := C \setminus \{l = r\}$, Apply Equation is defined by

$$\frac{\langle H, IH \vdash goal\rangle}{\langle H, IH \vdash goal[\pi \leftarrow if\{NOR(\sigma(C')),\ \sigma(r),\ goal|_\pi\}]\rangle}$$

where $NOR(\sigma(C'))$ is a Boolean term that represents the conjunction of the negated literals in $\sigma(C')$.
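Both Use Lemma and Apply Equation are term transformations at a position π, and the difference between them is only in the conditional that wraps the replaced subterm. The following added example (not XeriFun's own code, and not its internal term representation) implements the two rules over a minimal term language so that the role of σ, goal|π, C' and NOR can be traced on concrete input. The term encoding, the matching routine and the sample lemma about N (¬?0(n) → +(-(n)) = n) are assumptions of this example.

```python
"""Use Lemma and Apply Equation as term transformations.

Added example, not code from the XeriFun project.  Assumed term encoding:
  - a variable is a Python str, e.g. "n"
  - an application is a tuple (symbol, arg_1, ..., arg_k), e.g. ("+", ("-", "n"))
  - constants are nullary applications, e.g. ("0",), ("true",)
  - a position pi is a tuple of argument indices, () being the root
"""


def is_var(t):
    return isinstance(t, str)


def subterm(t, pos):
    """goal|pi: the subterm of t at position pos."""
    for i in pos:
        t = t[i + 1]          # t[0] is the symbol, arguments start at index 1
    return t


def replace(t, pos, new):
    """goal[pi <- new]: t with the subterm at pos replaced by new."""
    if not pos:
        return new
    i, rest = pos[0], pos[1:]
    return t[:i + 1] + (replace(t[i + 1], rest, new),) + t[i + 2:]


def apply_subst(sigma, t):
    """sigma(t): instantiate variables bound in sigma, leave the others alone."""
    if is_var(t):
        return sigma.get(t, t)
    return (t[0],) + tuple(apply_subst(sigma, a) for a in t[1:])


def match(pattern, t, sigma=None):
    """One-way matching: a substitution sigma with sigma(pattern) == t, or None."""
    sigma = {} if sigma is None else dict(sigma)
    if is_var(pattern):
        bound = sigma.get(pattern)
        if bound is None:
            sigma[pattern] = t
            return sigma
        return sigma if bound == t else None
    if is_var(t) or pattern[0] != t[0] or len(pattern) != len(t):
        return None
    for p, a in zip(pattern[1:], t[1:]):
        sigma = match(p, a, sigma)
        if sigma is None:
            return None
    return sigma


def negate(lit):
    """Negated literal; a double negation ("not", ("not", x)) collapses to x."""
    if not is_var(lit) and lit[0] == "not":
        return lit[1]
    return ("not", lit)


def conjunction(literals):
    """NOR(C'): Boolean term for the conjunction of the negated literals in C'."""
    negated = [negate(l) for l in literals]
    if not negated:
        return ("true",)
    acc = negated[-1]
    for l in reversed(negated[:-1]):
        acc = ("and", l, acc)
    return acc


def use_lemma(goal, pos, lemma_body, sigma):
    """Use Lemma: goal[pi <- if{sigma(b), goal|pi, true}] for a lemma with body b."""
    sub = subterm(goal, pos)
    return replace(goal, pos, ("if", apply_subst(sigma, lemma_body), sub, ("true",)))


def apply_equation(goal, clause, equation, pos):
    """Apply Equation for l = r in clause C at position pos, with sigma(l) = goal|pi:
    goal[pi <- if{NOR(sigma(C')), sigma(r), goal|pi}] where C' = C \\ {l = r}."""
    l, r = equation
    sub = subterm(goal, pos)
    sigma = match(l, sub)
    if sigma is None:
        raise ValueError("equation does not apply at this position")
    rest = [lit for lit in clause if lit != ("=", l, r)]
    cond = conjunction(apply_subst(sigma, lit) for lit in rest)
    return replace(goal, pos, ("if", cond, apply_subst(sigma, r), sub))


# Constructed lemma about N:  forall n:N. not ?0(n) -> +(-(n)) = n
# as a clause C = {?0(n), +(-(n)) = n}; hence C' = {?0(n)} and NOR(sigma(C')) = not ?0(sigma(n)).
PRED_SUCC = [("?0", "n"), ("=", ("+", ("-", "n")), "n")]


def demo_apply_equation():
    """Rewrite the argument of even(+(-(x))) with the lemma above."""
    goal = ("even", ("+", ("-", "x")))
    return apply_equation(goal, PRED_SUCC, (("+", ("-", "n")), "n"), (0,))


def demo_use_lemma():
    """Wrap a goal with an instance of the constructed lemma forall n:N. even(n) or even(+(n))."""
    body = ("or", ("even", "n"), ("even", ("+", "n")))
    goal = ("even", ("+", ("+", "y")))
    return use_lemma(goal, (), body, {"n": ("+", "y")})
```

In `demo_apply_equation` the result is even(if{¬?0(x), x, +(-(x))}): the clause literal ?0(n) is negated by NOR, the right-hand side is instantiated to x, and the original subterm survives in the else branch, exactly as the rule requires.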

XeriFun's Verify Tactic builds a proof tree by heuristically applying some proof rules. A proof typically starts with Induction wrt. an induction axiom suggested by the system's induction heuristic [83, 85].² Then the tactic tries to close the proof tree by applying Simplification to the child nodes. It also employs Use Lemma and Apply Equation to use heuristically helpful induction hypotheses if they have not already been used by the previous Simplification.

Each lemma and each procedure of a program P has a certain status ∈ {ignored, ready, terminating, verified} [73, 91, 95]. A lemma possesses status

ignored if it uses a procedure proc with a status different from verified (for instance, because termination of procedure proc has not been proved yet) or if a context hypothesis of the lemma has status different from verified (i.e., it is not yet confirmed that the context requirements of all function symbols occurring in the lemma are satisfied);

ready if all procedures that the lemma calls and all context hypotheses possess status verified, but the proof tree of the lemma is not closed;

verified if all procedures that the lemma calls and all context hypotheses possess status verified and the proof tree of the lemma is closed.

A procedure proc possesses status

ignored if proc calls a procedure with a status different from verified or if no termination hypotheses have been generated for proc yet;

ready if all procedures that proc calls possess status verified and there exists some termination hypothesis for proc with status different from verified;

terminating if all procedures that proc calls possess status verified and there exists a (finite) set of termination hypotheses for proc with status verified and some context hypothesis possesses a status different from verified;

verified if all procedures that proc calls possess status verified and there exists a (finite) set of termination hypotheses for proc with status verified and all context hypotheses of proc possess status verified.

² We did not need to modify the induction heuristic for our approach.
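The status rules for lemmas and procedures refer to each other through the call graph and through the termination and context hypotheses, which are themselves lemmas, so a status is not a local property but the result of propagation. The following added example (not XeriFun's own code or data model) computes the statuses of a constructed toy program as a fixpoint over these rules. The record fields and the toy program are assumptions of this example; hypotheses are modelled as lemmas that call no procedure.

```python
"""Status propagation for lemmas and procedures.

Added example, not code from the XeriFun project.  Assumed model:
  - Lemma: procedures it calls, its context hypotheses (names), whether its proof tree is closed
  - Procedure: procedures it calls (self-calls excluded), its termination and context hypotheses
  - termination and context hypotheses are Lemma entries of the same table
"""
from dataclasses import dataclass

IGNORED, READY, TERMINATING, VERIFIED = "ignored", "ready", "terminating", "verified"


@dataclass
class Lemma:
    name: str
    calls: list          # procedures the lemma uses
    context_hyps: list   # names of its context hypotheses
    proof_closed: bool   # proof tree closed?


@dataclass
class Procedure:
    name: str
    calls: list             # procedures called, excluding proc itself
    termination_hyps: list  # names; empty means none generated yet
    context_hyps: list      # names of its context hypotheses


def all_verified(names, status):
    # Names absent from the table count as not verified.
    return all(status.get(n) == VERIFIED for n in names)


def lemma_status(lem, status):
    """Status of a lemma according to the rules in the text."""
    if not all_verified(lem.calls, status) or not all_verified(lem.context_hyps, status):
        return IGNORED
    return VERIFIED if lem.proof_closed else READY


def procedure_status(proc, status):
    """Status of a procedure according to the rules in the text."""
    if not all_verified(proc.calls, status) or not proc.termination_hyps:
        return IGNORED
    if not all_verified(proc.termination_hyps, status):
        return READY
    if not all_verified(proc.context_hyps, status):
        return TERMINATING
    return VERIFIED


def compute_status(items):
    """Least fixpoint: start with every item ignored and re-evaluate until nothing changes.
    Statuses only move upwards, so the loop terminates."""
    status = {name: IGNORED for name in items}
    changed = True
    while changed:
        changed = False
        for name, item in items.items():
            rule = procedure_status if isinstance(item, Procedure) else lemma_status
            new = rule(item, status)
            if new != status[name]:
                status[name] = new
                changed = True
    return status


# Constructed toy program (names and hypotheses invented for this example).
TOY_PROGRAM = {
    "even_t": Lemma("even_t", [], [], True),       # termination hypothesis of even, proved
    "even_c": Lemma("even_c", [], [], True),       # context hypothesis of even, proved
    "even": Procedure("even", [], ["even_t"], ["even_c"]),
    "half_t": Lemma("half_t", [], [], False),      # termination hypothesis of half, open
    "half": Procedure("half", ["even"], ["half_t"], []),
    "pred2_t": Lemma("pred2_t", [], [], True),
    "pred2_c": Lemma("pred2_c", [], [], False),    # context hypothesis still open
    "pred2": Procedure("pred2", [], ["pred2_t"], ["pred2_c"]),
    "fresh": Procedure("fresh", [], [], []),       # no termination hypotheses generated yet
    "even_plus2": Lemma("even_plus2", ["even"], [], True),
    "half_even": Lemma("half_even", ["half"], [], True),   # uses a procedure that is not verified
}


def toy_statuses():
    return compute_status(TOY_PROGRAM)


if __name__ == "__main__":
    for name, st in toy_statuses().items():
        print(f"{name:11s} {st}")
```

The iteration order does not matter for the result, only for how many rounds the loop needs; `half_even` stays ignored even though its own proof tree is closed, because `half` is only ready while `half_t` is open.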